Tag Archives: it compliance and controls

Questions that must be managed by the COO and CIO of every business relate to dedicating finite resources across the company. The products and services sold by the business are developed and delivered to market as rapidly as possible in a race to be competitive. In the startup realm the concept of building in security, compliance, and privacy elements is a very low priority. In most cases startups (and skunkworks within larger enterprises) depend upon the security of the libraries (ruby on rails, java libraries, etc…) and product components (UL Certified) to deliver security. Unfortunately, depending upon the security and safety of the individual pieces is insufficient and inadequate when the elements (from here forward meant to refer to technology code and physical product components) are brought together in a new and non-obvious way. The emergence of these new products and services introduces dependencies, communication channels, new operating environments, and custom elements that reduce or eliminate the security-compliance-privacy properties that existed in each element individually.

Leadership must then prioritize, as immediately as possible, the introduction of security-compliance-privacy. Companies certainly benefit by building these natively within the products and services at the Design & Build stage, as it is cheaper to build once than to re-design / re-code to meet the market expectation of security-compliance-privacy. The case where the organization must review its existing portfolio and decide what should be done is the focus of this article. An analysis is necessary to evaluate the landscape of necessary and appropriate security-compliance-privacy requirements, and to decide which products or services should be updated.

Or stated another way …

Where on the game board do the services and products of our company get prioritized to receive compliance, security, and privacy ‘attention’?

Such an analysis should at least include:

1. Listing of all required regulations and business best practices

2. Listing of all legal and contractual obligations

3. Discovery of similar products / services in the market, and a list of any requirements that resulted from litigation and similar government agency enforcement actions

4. Strategic roadmap review – identify any likely near-term requirements

5. Listing of all requirements the individual products & services will be subject to from the customer’s perspective

At this point a robust listing exists of what the products and services should support. A cross-map of these requirements should then be produced for optimized adoption and sustained operation. The cross-map will also provide the design specifications that contribute to the use cases and the product development life cycle. An example of such is below:

The above (in sequence 1 to 5) are then placed on your product / services game board, and prioritization and risk management become possible. This is a process I designed in 2008 and have enhanced based on experience and client feedback building global security and compliance programs. Your program may need to consider additional facts and realities. I would love to hear your thoughts to enhance and challenge this method.

The latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet infrastructure companies, supplemented by additional data sources. Akamai published their quarterly report today (January 23, 2013) and I am nearly through it … a few striking details shift how I will recommend clients identify, consider, and mitigate risks. The top two items that are significant (one obvious) and important include:

China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (Not a huge surprise but an affirmation for many)

The amount of attack traffic seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic Akamai had seen before for similar activist-related attacks (The volume, intensity, and strategy of the attacks are important, as most do not consider a SIXTY TIMES factor in risk mitigation calculations)

About the Akamai State of the Internet report
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet

Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization’s business processes. The leadership and strategy shifts required to tackle these evolutions remain an executive responsibility.

“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.

According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference

Considering the velocity of the risks in this area and the lag of legislation, it is fair to say that even those OUTSIDE the purview of the FFIEC should strongly consider these as inputs to their compliance and security programs.

“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:

Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?

Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?

Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”

What is it? Commonly referred to as Bring Your Own Device, it refers to the unstoppable trend of end-users within enterprises utilizing consumer devices in the workplace. This is a simplification, but it captures the essence of how boards of directors are using iPads, and how Facebook became a permitted service inside organizations. (The Facebook example is a poor one, as that is an application .. but that will be raised in a future discussion.)

The challenge to enterprises is how to enable these end-users with these technologies. How to gain efficiencies and advantage? How to allow end-users to be happy with their ability to self-select their devices? Ultimately, the end-users within corporations are quite happy with their iPhones and such devices .. it is only corporate IT that needs to streamline the integration.

Here is where things become interesting …

BYOD in most regions of the world refers to “Bring” your own device, while in certain regions it refers to “Buy” your own device. Ownership of the device is quite important legally: it bears on how someone may use that device and on what controls are generally accepted.

In the United States, for instance, end-users generally Bring and Buy their own devices. This means that corporate IT must wrestle with ownership, MDM, and a diverse device / OS ecosystem. Such challenges center on the ability to fully wipe a device in case of a policy violation, and on the capability to fully monitor and restrict, via policy, the permitted applications. They also include simply utilizing the full breadth of technology on the device – i.e., conjoining GPS proximity technology with multifactor authentication to increase the confidence in user credentials when within corporate offices (a generally uneasy concept with personal devices, but something magically simple when the whole device is owned and part of the operations and security ecosystem).

In other regions, such as in Europe, the devices are purchased by the business and provided to the end-users.

So is it really “BYOD” or not? For all intents and purposes the end-user drive, the customization applied to these devices, the personalization, and so on are all identical to those of U.S. BYOD. The difference is in HOW the user interfaces with the device and WHAT can be done to safeguard the device.

How is your organization managing these cross-cultural perspectives?

How have you considered the cost and operational expenses of each form of BYOD?

What are the implications for security, compliance, and long-term competitiveness (as it is ultimately being competitive that ensures that security and compliance will continue to matter)?

For business operations, electing to incorporate mobile / BYOD technology is obviously a decision that has already been made by most organizations, either by the rebelling user base or through sanctioned programs. The next field of play is to focus on the cultural aspects and embrace a forward-looking vision of the emerging legislation related to such protections & expectations of consumers.

What is a good security compliance program? How do you measure its performance? How do you communicate and work with the senior leadership of your company on the current state of operations and the future? A single approach to this would be to compare yourself against your peers. (Defining your peers depends upon each individual product and service. Too often businesses classify their industry based on the business as a whole and lose sensitivity to the context of the individual service and product line.) More specifically, when analyzing the security compliance program, specific areas and metrics can be considered (the specific competitiveness and leading indicators of your security compliance program must cover additional areas).

To consider the state of your security compliance program compared to your peers, the following points should be considered and tracked at the executive leadership level:

How do you compare to your competitors? This question alone requires that the leadership team of the security compliance program has its competitors defined explicitly.

In the market place what deals have you won or lost, to whom, and what product / services were involved?

What is the customer attrition – by customer type; rationale?

What is the volume of queries being submitted to sales, engineers, customer support, and executives regarding the security compliance of the business?

An analysis of these four points within the context of security compliance will clarify any areas where the program is negatively or positively affecting the market strength of the products and services of the business.

The security compliance program of an enterprise is a core function in the achievement of sales, maintaining regulatory and contractual obligations, meeting the security challenges of a connected world, and achieving a balance of consistent operations while returning a profit for the business. A challenge within these programs, and especially for businesses that do not have a consolidated, mature program operating at the executive level, is the transparency of cost and the improvement of margins within operations.

Transparency of cost relates to the costs of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs related to reporting to third parties on the state of the compliance and security program. Such cost can arise in scenarios like the following:

A sales person seeking to close a sale brings onboard an engineer and product manager to speak to / commit on security and regulation safeguards. Such initiation of new agreements may require a 250+ question questionnaire to be completed by that engineer, which typically requires additional parties to respond – resulting in roughly 30-50 hours of engineer time, multiplied by the percentage of new deals signed annually.

The end result of this singular area of cost is time taken from valuable engineers away from developing and improving product, and executives focused on tactical activities. In addition, a non-optimized security compliance program gains no leverage from the above activities, so each activity repeats past work. Zero scale is achieved.

Reflecting on your organization, improvements can be gained. An approach that has proven beneficial is to consider the following measures, which are easily measurable and can be tracked:

What is the unique number of security and compliance controls deployed within the products & services?

What is the number of queries for each period?

What is the number of FTE hours to address these queries? (the above are averages that I have seen, but analysis is worth refreshing for your organization)

What is the number of interactions the individuals have with the customers?

What is the current central approach to meeting the needs and responding to such queries?

The last question leads to the idea that the program should be organized in a manner that manages these questions centrally. This provides scale, lessons learned, and coordination across the business. The program itself, when designed and tracked in such a manner, becomes part of the sales process, account maintenance, and a regular touch point for the customer. Establishing the proper executive leadership and integrating this program is critical to every direct-to-consumer business, and more so for the rapidly growing technology services sector.

In 2008 I wrote a book, partially on the premise of cross-mapping regulations together in a manner that builds a common control framework for enterprises. The genius here was to address all requirements placed upon the business to meet its unique security and regulatory footprint. The more I work with senior leadership of businesses and security professionals, the more I recognize there is a gap: the security professionals push for tighter and richer security safeguards, while the business seeks sales.

Upon reflection I realize that there is a gap in the broader approach and a blind spot that I and others likely have in enterprises, and that is the customer requirements.

Specifically, the cross-mapping I proposed is correct, but it did not go far enough, and from my analysis nobody goes far enough. Therefore I would propose that enterprises and security compliance programs in general consider expanding their programs to include market requirements.

The mapping would be from customer requirements (such as SEC, IRS, and specific industry best practices) to the security controls of the business itself. This would influence and ultimately increase the security of the service. In addition, sales blockers would be removed and ongoing associated costs with maintaining accounts would equally be reduced.
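The cross-map described in the prioritization article above (regulatory, contractual, enforcement, roadmap and customer requirements mapped to the controls that satisfy them) and the customer-requirement mapping proposed here can both be expressed as one small data structure. The following is an added illustration, not the author's own process or tooling; every requirement, control and product identifier in it is constructed sample data, and the gap and leverage calculations are one possible way to turn the cross-map into a prioritized "game board".

```python
"""Requirements-to-controls cross map with gap and leverage analysis.

Added illustration, not the article's own method. All requirement,
control and product identifiers below are constructed sample data.
"""
from collections import defaultdict

# Requirement id -> (source, description). Sources follow the inputs the
# article lists: regulation, contract, enforcement action, roadmap and
# customer requirements (the "market requirements" of the later post).
REQUIREMENTS = {
    "REG-CARD-STORAGE": ("regulation", "stored cardholder data must be unreadable"),
    "CONTRACT-ENC-REST": ("contract", "customer data encrypted at rest"),
    "ENF-BREACH-NOTIFY": ("enforcement", "notify affected users within 72 hours"),
    "ROADMAP-EU-RESIDENCY": ("roadmap", "EU customer data stays in EU region"),
    "CUST-ACCESS-REVIEW": ("customer", "quarterly privileged access review"),
    "CUST-LOG-RETENTION": ("customer", "audit logs retained for 3 years"),
}

# Control id -> requirement ids that the control satisfies once implemented.
CONTROLS = {
    "CTL-ENCRYPT-AT-REST": ["REG-CARD-STORAGE", "CONTRACT-ENC-REST"],
    "CTL-ACCESS-REVIEW": ["CUST-ACCESS-REVIEW"],
    "CTL-LOG-RETENTION": ["CUST-LOG-RETENTION"],
    "CTL-INCIDENT-RUNBOOK": ["ENF-BREACH-NOTIFY"],
}

# Product -> requirements that apply to it and controls it has implemented.
PRODUCTS = {
    "payments-api": {
        "applies": ["REG-CARD-STORAGE", "CONTRACT-ENC-REST",
                    "ENF-BREACH-NOTIFY", "CUST-ACCESS-REVIEW"],
        "implemented": ["CTL-ENCRYPT-AT-REST"],
    },
    "analytics-portal": {
        "applies": ["CONTRACT-ENC-REST", "ROADMAP-EU-RESIDENCY", "CUST-LOG-RETENTION"],
        "implemented": ["CTL-ENCRYPT-AT-REST", "CTL-LOG-RETENTION"],
    },
    "internal-wiki": {
        "applies": ["CUST-ACCESS-REVIEW"],
        "implemented": ["CTL-ACCESS-REVIEW"],
    },
}


def build_cross_map(controls):
    """Invert control -> requirements into requirement -> [controls]."""
    cross = defaultdict(list)
    for control, reqs in controls.items():
        for req in reqs:
            cross[req].append(control)
    return dict(cross)


def unmapped_requirements(requirements, cross_map):
    """Requirements that no control in the framework satisfies at all
    (a framework gap, as opposed to a per-product implementation gap)."""
    return sorted(r for r in requirements if r not in cross_map)


def product_gaps(product, cross_map):
    """Applicable requirements not satisfied by any implemented control."""
    implemented = set(product["implemented"])
    return [req for req in product["applies"]
            if not implemented.intersection(cross_map.get(req, []))]


def control_leverage(controls):
    """Controls ranked by how many requirements each one satisfies;
    high-leverage controls are the cheapest way to close several gaps."""
    return sorted(((c, len(r)) for c, r in controls.items()),
                  key=lambda item: (-item[1], item[0]))


def prioritize(products, cross_map):
    """Rank products by number of open gaps, most gaps first."""
    ranked = [(name, product_gaps(p, cross_map)) for name, p in products.items()]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    cross = build_cross_map(CONTROLS)
    print("Requirements with no control at all:", unmapped_requirements(REQUIREMENTS, cross))
    for name, gaps in prioritize(PRODUCTS, cross):
        print(f"{name}: {len(gaps)} open gap(s) {gaps}")
    print("Control leverage:", control_leverage(CONTROLS))
```

Running the script ranks the constructed products by open gaps (the payments API first, with two), reports the roadmap residency requirement as one that the control framework does not address at all, and shows the encryption-at-rest control as the highest-leverage control because it satisfies both a regulatory and a contractual requirement with a single implementation. In a real program the three dictionaries would be maintained as the authoritative cross-map, and the same customer-facing requirement list would feed the questionnaire responses discussed in the cost-transparency post.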

A common statement / question: What are all the things we need to be compliant with in the world?

Corrected question: What do our clients need to be compliant with when using our services?

(The first question absolutely must be understood and ideally is a known variable; the corrected question is the evolution of thought and of the program itself.)

A shift in my thinking over the past year, and one I hope can be further debated and evolved.